Customizing the Logon Screen

Windows Vista included a slightly improved Logon screen similar to the one that was used in Windows XP. Gone for good this time is the Windows NT-style classic Logon screen with which many domain users are familiar (because it was included in the last several releases of Windows). The new Welcome screen, as I called it in Windows XP, is here to stay, and is now your only choice for logging on. Not much changed except for a few visual enhancements that make the screen look more professional and make it fit in with the theme of the rest of the operating system.

In Windows Vista, Microsoft has done a lot of work on securing the logon system by digitally signing the logon components. This makes it next to impossible for anyone to modify the Logon screen files, so it greatly increases the security of Vista. Unfortunately, it also makes it next to impossible for people like us who want to customize the Logon screen; you can no longer just hack a system file and replace some resources in it. Now, if you hack a system file with a resource hacker and customize the images in it, the digital signature will be broken and the file will no longer be used by Vista.

The days of customizing the Logon screen are over for now until someone writes an application that extends the Logon screen or someone releases a patch that disables the requirement for the Logon screen system files to be digitally signed.

So, is this the end of customizing the Logon screen? Not at all! You can still do a lot of useful tweaks to the Logon screen that will give the Logon screen a personal touch, such a changing user pictures, hiding users, customizing the Logon screen screensaver, and more.

Changing user pictures

Each user who is set up on your computer can associate an image that appears next to his or her name on the Logon screen, as shown in Figure 1-4. By default, you have the option to select a picture for your account when you install Windows. However, the screen that allows you to pick an image offers only a small selection of the pictures available to you. In addition, if you do not like the images that Windows has to offer, you can select any image file.

Figure 1-4: The Logon screen with an image next to the user's name

The process of changing a user's image is simple. Just perform the following steps and you will have it changed in no time:

Click the Start button, and then click your user picture, as shown in Figure 1-5.

You will now be shown all the Windows user images that you can choose from. If you find one you like, click it, and then click the Change Picture button.

If you prefer a different photo, click Browse for more pictures to select and use any image file on your PC.

After you have selected your new image, your setting change is instantly applied. You can now close User Accounts and Control Panel.

Now you have changed your user image on the Logon screen; you have also updated the image used on the Start menu.

Hiding users on the Logon screen

One of the side effects of the new Logon screen is the list of all the user accounts on the computer. What if you created an account that you want only to run a service under? You do not want other users of your computer to even have the option to log on to that account because you designated it only to run a service. With the help of a simple Registry hack, it is possible to hide any account on the Logon screen so that it is no longer possible to log on to it (unless you turn on the Do not display last user name policy and manually type the username and password, as discussed later in this chapter).

Hidden away in the local system settings is the feature that Microsoft used in the past to hide system accounts from the Logon screen. In Windows Vista, the actual Logon screen hides system accounts, so the old method code was removed from the Registry. However, the functionality still exists. In the next few steps, I show you how to re-create the missing Registry code so that you can use this feature once again to hide your accounts:

Click the Start button, type regedit in the Search box, and then press Enter.

You must now create a new key. Right-click the Winlogon folder, select New, and then select Key. Name this new key SpecialAccounts.

Right-click the new SpecialAccounts folder, select New, and then select Key. Call this new key UserList.

Now you are ready to add the name of the account that you want to hide. To add a name, right-click and select a new DWORD value, as shown in Figure 1-6.

Figure 1-6: Using the Registry Editor to add another DWORD value for the name of a user who will be hidden on the Logon screen

When the new DWORD is created, enter the name of the user's account as the name of the DWORD. After you have done this, you can close the Registry Editor.

After you log off and back on or reboot, the user will not be displayed on the Logon screen. Keep in mind that no one will now be able to log on to this account interactively (as in having a graphical session). If you want to hide all accounts and just have a username and password box, the next section is for you. If you opt for that method, you can hide all accounts and still log on to them. You just need to remember the username and the password because no accounts will be listed any more.

If you ever change your mind and want the account to display on the Logon screen again, just delete the entry that you made in the list in the system registry, and everything will be back to the way it once was.

Clearing the last user logon

Every time you boot up your PC, all computer accounts and users who have logged on to it display on the Logon screen. This can be a big security risk because it shows the usernames of all accounts that someone can try to use to break into the computer. In addition, the Logon screen can become cluttered with user accounts. Therefore, it might be a good idea to enable the Do not display last user name policy. In previous versions of Windows that used the classic Logon screen, this policy would just clear the User name text box so that an attacker would have no clue about the last account used to log on. With the removal of the classic Logon screen in Vista, this policy behaves slightly differently by removing the Account list on the Logon screen and turning on basic User name and Password boxes, as shown in Figure 1-7.

Figure 1-7: Basic User name and Password boxes on the Logon screen

Using the policy is easy, if you choose to enable it. If so, just follow these steps:

Click the Start button, type secpol.msc, and press Enter.

When the Local Security Policy editor loads, navigate through Local Policies and then Security Options.

Locate the Interactive logon: Do not display last user name policy. Right-click it and select Properties.

On the Local Security Settings tab, select Enable, and then click OK.

Close the Local Security Policy editor and you are finished.

As soon as you log off or reboot, the new Logon screen settings will be present.

Changing the Logon screen screensaver

If you turn on your computer and let it sit at the Logon screen long enough, eventually the screensaver will appear. This setting can be tweaked so that you can set the screensaver that you want to see instead of the boring Windows default. Unlike changing your screensaver for your account when you are logged on, it is possible to change the Logon screen screensaver setting only by using the Registry. With the help of a few quick Registry hacks, you can fine-tune the screensaver that is displayed and other settings such as the screensaver Timeout value that determines how long before the screensaver is activated.

Follow these simple steps to customize your Logon screensaver:

Start the Registry Editor. Click the Start button, type regedit in the box, and press Enter.

When the Registry Editor starts up, navigate through HKEY_USERS\.DEFAULT\ Control Panel\Desktop.

Let's change the amount of time the system waits after the last activity was detected before starting the screensaver. To do this, right-click the ScreenSaveTimeOut entry and select Modify. The amount of time to wait is stored in seconds. By default, the system waits 600 seconds (10 minutes) before starting the screensaver. If you want to change this value to something shorter, such as 1 minute, just enter a new value, which for 1 minute would be 60. Then click OK to save your changes.

By default, the boring flat Windows Vista logo screensaver displays. Try something a little more exciting such as the Mystify screensaver. To do this, right-click and select Modify on the SCRNSAVE.EXE string value. Set the value to the full path of the screensaver you want to use. For example, I use C:\windows\system32\Mystify.scr for the Mystify screensaver. Refer to Table 1-1 for a list of Windows screensavers and the paths you can use. When you have finished making your change, click OK to save.

Table 1-1: Windows Vista Screensavers Open table as spreadsheet

Screensaver Name

Full path

Aurora

C:\Windows\System32\Aurora.scr

Bubbles

C:\Windows\System32\Bubbles.scr

Logon (Windows default)

C:\Windows\System32\logon.scr

Mystify

C:\Windows\System32\Mystify.scr

Photos

C:\Windows\System32\PhotoScreensaver.scr

Ribbons

C:\Windows\System32\Ribbons.scr

Blank Screen

C:\Windows\System32\scrnsave.scr

Vista

C:\Windows\System32\ssBranded.scr

3D Text

C:\Windows\System32\ssText3d.scr

Close the Registry Editor. You are now finished. After a reboot, you will see your new screensaver.

Displaying a security message

Would you like to display a message to your users before they can log on? Are any instructions necessary for users of your computers, such as "Do not shut down this computer!" or possibly a security warning informing unauthorized users that they are breaking the law if they try to log on to your laptop? All these are possible with the help of Group Policy. With just a few clicks, you can easily display a message to your visitors, as shown in Figure 1-8.

Figure 1-8: Security message on a Windows Vista Logon screen

Using the Local Security Policy editor, you can turn this feature on. Follow these steps to activate it on your PC:

Click the Start button, type secpol.msc, and press Enter.

When the Local Security Policy editor loads, navigate through Local Policies and then Security Options.

Locate the Interactive logon: Message title for users attempting to log on policy. Right-click it and select Properties.

On the Local Security Settings tab, type a title that you would like to use for your message and click OK.

Locate the Interactive logon: Message text for users attempting to log on policy. Right-click it and select Properties.

On the Local Security Settings tab, type your message and click OK.

Close the Local Security Policy editor; you are finished.

As soon as you log off or reboot, the security message settings will be activated.

Enabling Num Lock by default

If you have a password that has both numbers and letters and you frequently use the number pad to enter part of your password, this hack is for you. I cannot count the number of times that I started to type my password and was then presented with a logon error telling me that my password was incorrect. I would sit there staring at the screen for a second before I realized that Num Lock on my keyboard was not on.

This is a great hack for every desktop computer with a full-size keyboard with a separate number pad. Turning on Num Lock by default on a laptop is not a good idea because usually most laptops do not have a separate number pad. Enabling this feature on a laptop will result in almost half of your keyboard functioning as the number pad, and you would be much better off using the numbers above the letters. To get started, follow these steps:

Click the Start menu, type regedit, and press Enter.

When the Registry Editor loads, navigate through HKEY_USERS\.DEFAULT\Control Panel\Keyboard.

Locate the InitialKeyboardIndicators entry, right-click it, and select Modify. To enable Num Lock, enter 2 into the box. If you want to disable it, enter 0 into the box.

Then click OK to save the changes. That's it!

If you are on a laptop and you attempted to enable Num Lock even though I told you not to and need to fix your system, repeat the preceding directions but replace the value of InitialKeyboardIndicators with 0 to disable the feature.

Changing the Logon screen background

How would you like to be able to customize the background image used on the Logon screen just as easily as you change the background image of your desktop? With a cool and free utility from Stardock, this is now possible. The logon in Windows Vista is nice looking and much better compared to XP. However, if you are like me, and you probably are if you are reading this book, you want to customize the background your way. This section shows you exactly how to do that using Stardock LogonStudio for Windows Vista.

Let's get started. First, head over to http://www.stardock.com and download a copy of the latest version of LogonStudio for Windows Vista and install it. When you have finished, follow these steps to change your logon background:

Click the Start button, type LogonStudio, and press Enter.

When you install LogonStudio, a few logon backgrounds will come pre-installed. Just click a background and click Apply to change the logon background.

To use your own image, click Create a new Logon screen from the side menu.

Type in a name and then click the Browse button to locate your image, as shown in Figure 1-9.